
Persistent Threat Modeling


What is Persistent Threat Modeling?

Threat modeling is a systematic methodology for identifying, classifying, prioritizing and rating the threats an organization faces. Identifying and rating threats against a thorough analysis and baseline of the organization's architecture makes it possible to address the threats that present the greatest risk first, and to pair each with a concrete countermeasure.

Threat modeling gives the organization a structured approach to security driven by business impact. It begins during the early design phases of a layered defense and continues throughout the security life cycle. Persistent Threat Modeling extends this: the organization gets answers and recommendations rapidly, and can scale its response and investigation effort to reduce time, resources and impact.

Combating advanced persistent threats (APT) against the architecture, its assets and its data requires a sustained, efficient, repeatable and effective strategy. It is therefore paramount that an organization can verify and validate a compromise, collect evidence, contain and eradicate the threat, and recover from the impact rapidly. SecureState's Threat Modeling allows an organization to respond rapidly to threats and validated events, and extends the organization's own response team to minimize the impact of an incident and accelerate recovery.

Continue operations during a suspected attack by isolating and containing only suspected devices and activity.

Provide end-point analysis and full investigation.

Reduce the risk of exposure of sensitive, regulated or proprietary information.

Expertise

SecureState consultants have the expertise to develop, adapt and innovate the readiness and response capabilities that counter advanced threats. They maintain and advance their security and consulting experience through industry-leading certifications, presentations at top security conferences, advanced higher-education degrees, and regulatory and compliance framework analysis for government, financial and industry institutions. SecureState consultants also include former communications officers, intelligence officers and CERT team leads with experience providing, leading and creating response teams and security solutions for the U.S. Government and Military and for Fortune 500 companies.


Our Approach and Methodology


Through system and network baselining, network- and host-based monitoring, and signature detection and creation, SecureState's Threat Modeling identifies malicious activity and APT communication, whether it suddenly becomes active or hides within legitimate traffic. SecureState's Threat Modeling consists of four primary sets of controls:

1. Preparation Controls

Active end-point and corporate penetration testing

Active testing of IR procedures and data collection

Ensure logging and monitoring and alerting are in place

Baseline systems and network activity

Data Discovery and Classification Controls

2. Real-time Monitoring and Intelligence Gathering Controls

Network and system communication traces

Incorporate emerging threats and prior IR intelligence

Data aggregation, correlation and alerting

Baseline threshold monitoring

System and network baseline health checks

3. Real-Time Investigation Controls

Validation of threat events

Rapid containment and blocking strategies

Virtual IRT Deployment

4. Real-Time Host Interrogation Controls

Rapid investigation response

Correlation of system artifacts, trends and anomalous patterns

Evidence collection
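The baseline, threshold, correlation and alerting controls listed above can be illustrated with a small detector. The following is an added example written for this page; it is not SecureState's own tooling or part of ARGUS. The log format, the constructed records, the three-sigma volume threshold (k=3.0), the beacon jitter tolerance and the severity rule are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real traffic): "timestamp,src_host,dst_ip,dst_port,bytes_out".
# A quiet five-day baseline for two hosts, one flow per host per day for brevity.
BASELINE_LOG = """\
2024-01-01T10:00:00,ws01,10.0.0.5,443,1200
2024-01-02T10:00:00,ws01,10.0.0.5,443,1350
2024-01-03T10:00:00,ws01,10.0.0.5,443,1100
2024-01-04T10:00:00,ws01,10.0.0.5,443,1300
2024-01-05T10:00:00,ws01,10.0.0.5,443,1250
2024-01-01T10:00:00,db01,10.0.0.9,5432,9000
2024-01-02T10:00:00,db01,10.0.0.9,5432,9500
2024-01-03T10:00:00,db01,10.0.0.9,5432,8800
2024-01-04T10:00:00,db01,10.0.0.9,5432,9100
2024-01-05T10:00:00,db01,10.0.0.9,5432,9200
"""

# A later window (also constructed): ws01 starts beaconing to an unseen address on an unseen
# port with small flows, and db01 pushes far more data than usual to a destination it normally uses.
WINDOW_LOG = """\
2024-01-08T10:00:00,ws01,10.0.0.5,443,1280
2024-01-08T10:05:00,ws01,203.0.113.7,8443,900
2024-01-08T10:10:00,ws01,203.0.113.7,8443,910
2024-01-08T10:15:00,ws01,203.0.113.7,8443,905
2024-01-08T10:00:00,db01,10.0.0.9,5432,61000
"""

def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst_ip, dst_port, nbytes = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "dst": f"{dst_ip}:{dst_port}", "bytes": int(nbytes)})
    return records

def build_baseline(records):
    """Per host: the set of destinations seen and the mean/stdev of bytes_out per flow."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    baseline = {}
    for host, rs in by_host.items():
        sizes = [r["bytes"] for r in rs]
        baseline[host] = {"destinations": {r["dst"] for r in rs},
                          "mean": mean(sizes),
                          # Floor the spread so a perfectly flat baseline still yields a usable threshold.
                          "stdev": max(pstdev(sizes), 1.0)}
    return baseline

def detect(baseline, records, k=3.0, jitter=30.0):
    """Compare a monitoring window against the baseline and emit one alert per indicator."""
    alerts = []
    flows = defaultdict(list)
    for r in records:
        host = r["host"]
        if host not in baseline:
            alerts.append({"host": host, "type": "unknown_host", "detail": r["dst"]})
            continue
        b = baseline[host]
        if r["dst"] not in b["destinations"]:
            alerts.append({"host": host, "type": "new_destination", "detail": r["dst"]})
        threshold = b["mean"] + k * b["stdev"]
        if r["bytes"] > threshold:
            alerts.append({"host": host, "type": "volume_threshold",
                           "detail": f"{r['dst']} {r['bytes']}B > {threshold:.0f}B"})
        flows[(host, r["dst"])].append(r["ts"])
    # Beaconing: three or more flows to one destination at near-constant intervals (within `jitter` seconds).
    for (host, dst), times in flows.items():
        if len(times) < 3:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            alerts.append({"host": host, "type": "periodic_beacon",
                           "detail": f"{dst} every ~{mean(gaps):.0f}s"})
    return alerts

def correlate(alerts):
    """Roll alerts up per host; several independent indicators on one host raise its priority."""
    types = defaultdict(set)
    for a in alerts:
        types[a["host"]].add(a["type"])
    return {host: {"types": sorted(t), "severity": "high" if len(t) >= 2 else "medium"}
            for host, t in types.items()}

def run(baseline_text=BASELINE_LOG, window_text=WINDOW_LOG):
    baseline = build_baseline(parse_log(baseline_text))
    alerts = detect(baseline, parse_log(window_text))
    return alerts, correlate(alerts)

if __name__ == "__main__":
    alerts, summary = run()
    for a in alerts:
        print(f"{a['host']:5} {a['type']:17} {a['detail']}")
    print(summary)
```

On the constructed data ws01 is flagged for a new destination and for periodic beaconing (two independent indicators, so it is rated high), while db01 is flagged only for exceeding its volume threshold. The beacon flows are individually small and would pass a pure volume check, which is why the destination and timing indicators are correlated with volume rather than used alone.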

Threat Intelligence

Threat intelligence is the heart of Persistent Threat Modeling; without it the model has no value. Threat intelligence can be gathered through several channels, including partnerships with law enforcement, government agencies and other security professionals. Primarily, however, it should consist of the data collected and the analysis produced by IR investigations and penetration assessments. SecureState relies on this primary source to build and refine its attacks, track trends, and maintain evolving and emerging threat indicators. SecureState's differentiator in intelligence gathering and analysis is that it knows how organizations are compromised and impacted because it performs hacking and IR engagements daily and feeds the results and analysis back in. SecureState can use current attack techniques, observe the attack methods and the responses to them, develop custom threat indicators, and then correlate and combine those with external threat sources and analysis, which yields a dynamic monitoring capability. Ideal threat intelligence combines the forensic, hacker and risk perspectives:

Incident Response Team members should sit down with the IT and security staff to help monitor and identify attacks while an active attack (i.e. a penetration test) is performed concurrently. This provides a vehicle to monitor, collect and develop attack and compromise indicators.

Intelligence should provide an integrated response to determine how, when, why, and where a compromise or incident occurred.

Proactively engage with other testing and evaluation professionals, and with the state and local responders who actively handle and manage incidents, to share information, methodologies and intelligence.

All Seeing Solution - ARGUS

The ability to counter and contain advanced threats requires a solution that can rapidly reach out to endpoints and within the network to collect evidence and determine incident scope and business impact. ARGUS is a deployable solution that integrates within an organization’s environment and provides forward-reaching capabilities that follow the Persistent Threat Modeling Methodologies:

Monitor for rogue activity

Provide real-time alerts and active blocking

Provide persistent threat intelligence and trends

Perform data discovery and mapping

Perform remote penetration and IR testing

Provide live analysis of suspect system and network activity

Provide evidence repository for data collection and correlation

Perform monthly system health checks

What Makes Us Different


By implementing a continuous Threat Modeling solution, the organization will rapidly know when an advanced and persistent threat has surfaced, significantly reducing the resources and time spent on containment, eradication and remediation:

Ability to adopt new signatures of an advanced threat or compromise

Ability to rapidly collect live data from suspect systems

Ability to identify anomalies, baseline breaches and compromise without the assistance from outside organizations or law enforcement

Ability to extend the Readiness and Response Team tactics, abilities and resources

Ability to continue operations by isolating and containing only suspected devices

Ability to provide end-point analysis and full investigation

Reduce the risk of exposure of sensitive, regulated or proprietary information

Minimize the impact and costs of incident response

Ability to use SecureState’s MyState Security Portal to analyze and correlate intelligence